CN115987650A - Data access method and device, storage medium and electronic equipment - Google Patents


Info

Publication number
CN115987650A
Authority
CN
China
Prior art keywords
user
identification number
client
service data
service
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211678550.XA
Other languages
Chinese (zh)
Inventor
马会交
郭立春
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; application number CN202211678550.XA; published as CN115987650A; legal status: pending.

Abstract

Some embodiments of the present application provide a data access method, an apparatus, a storage medium, and an electronic device. The method includes: receiving a service request sent by a client, where the service request carries a session token, a user virtual identification number and a service data request, and the user virtual identification number is randomly generated on the basis of the user real identification number; acquiring the original service data corresponding to the service data request when the user identity of the client is verified as passed by means of the session token and the user virtual identification number; and processing the original service data to obtain target service data, and sending the target service data to the client. Some embodiments of the application can prevent unauthorized access to data and provide high security.

Description

Data access method and device, storage medium and electronic equipment
Technical Field
The present application relates to the field of data access technologies, and in particular, to a method and an apparatus for data access, a storage medium, and an electronic device.
Background
Unauthorized access (Broken Access Control, BAC) is a common vulnerability in Web applications and is listed among the ten major security risks of Web applications because of its wide scope and serious harm.
At present, to prevent unauthorized access to data, after receiving an operation request from a user, the Web layer must check the validity of the request before executing the corresponding operation. The method for defending against horizontal unauthorized access is to obtain the user information from the token and verify whether the user has the authority to operate on the data before the data operation is executed. The method for defending against vertical unauthorized access is to load the menu through the roles and authorities recorded in the database and to verify the user's authority before each page is loaded. However, as service systems become more complex, the number of operation requests to the Web application and the data volume both grow, and checking the operation requests one by one is inefficient and tedious.
Therefore, how to provide a data access method that is both efficient and secure has become an urgent technical problem to be solved.
Disclosure of Invention
Some embodiments of the present application aim to provide a data access method, an apparatus, a storage medium, and an electronic device, which can improve the security and efficiency of data access and effectively prevent data unauthorized access vulnerabilities.
In a first aspect, some embodiments of the present application provide a method of data access, including: receiving a service request sent by a client, wherein the service request carries a session token, a user virtual identification number and a service data request, and the user virtual identification number is randomly generated based on a user real identification number; acquiring original service data corresponding to the service data request under the condition that the verification result of the user identity of the client is confirmed to be passed through the session token and the user virtual identification number; and processing the original service data to obtain target service data, and sending the target service data to the client.
Some embodiments of the present application receive from the client a service request carrying a session token and a user virtual identification number, and obtain the original service data only after the user identity of the client has been confirmed. The original service data is then processed to obtain the target service data, which is sent to the client. In this way the service data can be accessed without exposing the user real identification number or the user information of the client; the replacement processing of the original service data secures its transmission and prevents the exposure of important data; and data unauthorized access vulnerabilities are effectively prevented while the security and efficiency of data access are improved.
In some embodiments, the determining, by the session token and the user virtual identification number, that the verification result of the user identity of the client is a pass result includes: decrypting the session token by using the decryption key, and acquiring first user information in the session token after decryption is successful; searching second user information corresponding to the user virtual identification number; and if the first user information is confirmed to be consistent with the second user information, the verification result of the user identity is passed.
According to some embodiments of the application, the session token is decrypted to obtain the first user information, the second user information is obtained by searching the user virtual identification number, the user identity can be verified to pass the verification result under the condition that the first user information and the second user information are consistent, the user identity can be accurately verified, and the data access safety is improved.
In some embodiments, the method further comprises: if the first user information and the second user information are confirmed to be inconsistent, the verification result of the user identity is failed; and sending the verification result to the client.
Some embodiments of the application may ensure security of data access by determining that the user identity is incorrect and informing the client when the first user information and the second user information are inconsistent.
In some embodiments, the processing the original service data to obtain target service data includes: acquiring a service identification number in the original service data; randomly generating and storing the service virtual identification number corresponding to the service identification number; and replacing the service identification number with the service virtual identification number to obtain the target service data.
According to some embodiments of the application, the actual service identification number in the original service data is replaced by the service virtual identification number generated randomly to obtain the target service data, so that replacement hidden transmission of the actual data can be realized, the security is high, and unauthorized access of the data is effectively prevented.
In some embodiments, before the receiving the service request sent by the client, the method further includes: receiving login authentication operation sent by the client, wherein the login authentication operation carries user identity information, and the user identity information comprises a login name and a password; when the verification result of the user identity information is confirmed to be passed, encrypting the user identity information by using an encryption key to obtain the session token; randomly generating and storing a user virtual identification number corresponding to the user real identification number; and sending the session token and the user virtual identification number to the client.
According to some embodiments of the application, after the login authentication operation of the client is verified, the user identity information is encrypted and replaced to obtain the session token and the user virtual identification number, and the session token and the user virtual identification number are sent to the client, so that the hidden transmission of the user identity information can be realized, and the security is high.
In a second aspect, some embodiments of the present application provide an apparatus for data access, including a receiving module, a confirmation module and a sending module, wherein the receiving module is configured to receive a service request sent by a client, the service request carries a session token, a user virtual identification number and a service data request, and the user virtual identification number is randomly generated on the basis of the user real identification number; the confirmation module is configured to acquire the original service data corresponding to the service data request when the user identity of the client is verified as passed by means of the session token and the user virtual identification number; and the sending module is configured to process the original service data to obtain target service data and send the target service data to the client.
In some embodiments, the confirmation module is configured to: decrypting the session token by using the decryption key, and acquiring first user information in the session token after decryption is successful; searching second user information corresponding to the user virtual identification number; and if the first user information is confirmed to be consistent with the second user information, the verification result of the user identity is passed.
In some embodiments, the confirmation module is configured to: if the first user information and the second user information are confirmed to be inconsistent, the verification result of the user identity is failed; and sending the verification result to the client.
In some embodiments, the transmitting module is configured to: acquiring a service identification number in the original service data; randomly generating and storing the service virtual identification number corresponding to the service identification number; and replacing the service identification number with the service virtual identification number to obtain the target service data.
In some embodiments, the apparatus further comprises: an authentication module configured to: receiving login authentication operation sent by the client, wherein the login authentication operation carries user identity information, and the user identity information comprises a login name and a password; when the verification result of the user identity information is confirmed to be passed, encrypting the user identity information by using an encryption key to obtain the session token; randomly generating and storing a user virtual identification number corresponding to the user real identification number; and sending the session token and the user virtual identification number to the client.
In a third aspect, some embodiments of the present application provide a computer-readable storage medium on which a computer program is stored, which when executed by a processor, may implement the method according to any of the embodiments of the first aspect.
In a fourth aspect, some embodiments of the present application provide an electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, may implement the method according to any of the embodiments of the first aspect.
In a fifth aspect, some embodiments of the present application provide a computer program product comprising a computer program, wherein the computer program, when executed by a processor, is adapted to implement the method according to any of the embodiments of the first aspect.
Drawings
In order to illustrate the technical solutions of some embodiments of the present application more clearly, the drawings used in those embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and therefore should not be considered as limiting the scope, and that a person skilled in the art can obtain other relevant drawings from them without inventive effort.
FIG. 1 is a first system diagram of data access provided by some embodiments of the present application;
FIG. 2 is a second system diagram of data access provided by some embodiments of the present application;
FIG. 3 is a flowchart of a method for user identity authentication according to some embodiments of the present application;
FIG. 4 is a first flowchart of a method of data access provided by some embodiments of the present application;
FIG. 5 is a second flowchart of a method of data access provided by some embodiments of the present application;
FIG. 6 is a block diagram of an apparatus for data access provided by some embodiments of the present application;
FIG. 7 is a schematic diagram of an electronic device according to some embodiments of the present application.
Detailed Description
Technical solutions in some embodiments of the present application will be described below with reference to the accompanying drawings in some embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
In the related art, unauthorized access arises from careless mistakes in the permission check performed on the client request, so that a user can access the data of other users with the same permission, or of users with higher-permission roles. Malicious triggering and exploitation of an unauthorized access vulnerability can affect the normal operation of the system and endanger user data. Horizontal unauthorized access means that the data of other accounts with the same authority can be operated on. Such users belong to the same role and have the same authority level; when they access data, only whether they hold the role authority for accessing the data is verified, and no restriction is set on the range of data each may access, so user A can view the data of user B.
In the prior art, after the Web layer receives an operation request and before the corresponding operation is executed, the validity of the request must be checked. One checking method is to query whether the application resource to be operated on belongs to the currently logged-in user, or whether that resource may be operated on by other users. The other checking method is for the Web layer to pass the information of the logged-in user to the SQL (Structured Query Language) layer for checking; for example, a user condition may be added to the original SQL to restrict operations on the Web application resource.
However, in the first checking method the Web layer must perform a check on every operation request; as the service system becomes more complex and the data volume grows, this is inefficient and tedious. The check is also tightly coupled to the service logic and requires a database query, so access efficiency cannot be guaranteed. In the second checking method, although no additional Java code or database query is added, an additional user table must be joined, which increases the complexity of the SQL. Moreover, one SQL statement is sometimes shared by several pieces of logic; for example, if module A requires authentication and module B does not, a copy of the same SQL must be rewritten or a branch added to it, making the SQL harder to understand and maintain. In addition, this method cannot distinguish the two abnormal cases of no data and no authority, can only return a generic abnormal-operation prompt, and gives a poor user experience.
In view of this, some embodiments of the present application provide a data access method in which, after a service request carrying a session token and a user virtual identification number is received, the identity of the user is verified, and the original service data corresponding to the service data request is obtained only after the verification passes. The original service data is then processed to obtain the target service data, which is sent to the client. Some embodiments of the application thus keep the user identity information of the client and the important real information of the original service data hidden during data access, improve the efficiency and security of data access, effectively prevent data unauthorized access vulnerabilities, and are highly practical.
The following describes an exemplary configuration of a system for data access provided by some embodiments of the present application with reference to fig. 1.
As shown in fig. 1, some embodiments of the present application provide a system for data access, comprising: a client 100 and a server 200. Wherein, the client 100 and the server 200 can perform two-way communication. The client 100 may send a service request carrying the session token, the user virtual identification number, and the service data request to the server 200. After receiving the service data request, the server 200 verifies the user identity of the client 100 by using the session token and the user virtual identification number, and acquires the original service data corresponding to the service data request after the verification is passed. The server 200 replaces the service identification number in the original service data with the service virtual identification number to obtain the target service data, and sends the target service data to the client 100.
As shown in fig. 2, in some other embodiments of the present application, there is provided a system for data access, including: client 100, server 200, and security gateway 300. During data access, the client 100 and the server 200 need to perform data transmission through the security gateway 300. For example, client 100 may send a service request carrying a session token, a user virtual identification number, and a service data request to security gateway 300. After receiving the service data request, the security gateway 300 verifies the user identity of the client 100 by using the session token and the user virtual identification number, forwards the service data request to the server 200 after the verification is passed, and the server 200 sends the original service data corresponding to the service data request to the security gateway 300. The security gateway 300 replaces the service identification number in the original service data with the service virtual identification number to obtain the target service data, and sends the target service data to the client 100.
Through the data access system provided by some embodiments of the application, the real service identification number in the original service data can be replaced and transmitted in a hidden manner, so that the security of data access is improved, the efficiency is higher, and the data unauthorized access vulnerability is effectively prevented.
The implementation of data access performed by the server 200 provided by some embodiments of the present application is illustrated below in conjunction with the data access system of fig. 1 and fig. 4.
In some embodiments of the present application, before performing the method of data access, the server 200 may first authenticate the user identity of the client 100, please refer to fig. 3, where fig. 3 is a flowchart of a method of user identity authentication provided in some embodiments of the present application, and a specific process of user identity authentication is as follows:
s301, receiving a login authentication operation sent by a client, wherein the login authentication operation carries user identity information, and the user identity information comprises a login name and a password.
For example, in some embodiments of the present application, the client 100 initiates a login authentication operation to the server 200, where the login authentication operation includes a user real ID (ID, identity document; as a specific example of the user real identification number) and an authentication password.
S302, when the verification result of the user identity information is confirmed to be passed, encrypting the user identity information by using an encryption key to obtain the session token;
for example, in some embodiments of the present application, after the server 200 confirms that the user real ID and the authentication password are correct, the token is obtained by encrypting the user real ID and the authentication password with an encryption key (as a specific example of the session token).
S303, randomly generating and storing a user virtual identification number corresponding to the user real identification number;
for example, in some embodiments of the present application, the server 200 generates a random temporary user uuid (as a specific example of the user virtual identification number) corresponding to the user real ID by using a random algorithm, and caches the mapping relationship between the user real ID and the user uuid locally in the server 200, so as to achieve the purpose of replacing the user real ID with the user uuid.
S304, the session token and the user virtual identification number are sent to the client.
For example, in some embodiments of the present application, the server 200 may return the user uuid and token to the client 100, where only the user uuid, not the user real ID, is shown in the page of the client 100.
In another embodiment of the present application, the client 100 may send the login authentication operation to an API gateway (as a specific example of the security gateway 300), the API gateway forwards the login authentication operation to the server 200, and the server 200 notifies the API gateway after the login authentication operation is verified. The API gateway can encrypt the user identity information by using the encryption key to obtain token, and randomly generate the user uuid to be stored locally in the API gateway. The API gateway returns the user uuid and token to the client 100, and at this time, only the user uuid is shown in the page of the client 100, not the user real ID, so that the secure display of the data is ensured.
Referring now to fig. 4, fig. 4 is a flow chart of a method for accessing data according to some embodiments of the present application. The following exemplifies the implementation of data access.
S410, receiving a service request sent by a client, wherein the service request carries a session token, a user virtual identification number and a service data request, and the user virtual identification number is randomly generated based on a user real identification number.
For example, in some embodiments of the present application, when a user of the client 100 needs to access data of the server 200, the server 200 may receive a service request carrying a token, a user uuid, and a service data request, which are sent by the client 100.
And S420, acquiring original service data corresponding to the service data request under the condition that the verification result of the user identity of the client is confirmed to be passed through the session token and the user virtual identification number.
For example, in some embodiments of the present application, the server 200 may verify the user identity of the client 100 through the token and the user uuid, and obtain corresponding original service data only when the verification result is passed.
In some embodiments of the present application, S420 may include: decrypting the session token by using the decryption key, and acquiring first user information in the session token after decryption is successful; searching second user information corresponding to the user virtual identification number; and if the first user information is confirmed to be consistent with the second user information, the verification result of the user identity is passed.
For example, in some embodiments of the present application, the server 200 decrypts the token with a local decryption key to obtain the first user real ID. The server 200 searches for a corresponding second user real ID stored locally through the user uuid. If the first user real ID and the second user real ID are consistent, it may be determined that the user identity of the client 100 and the previously authenticated user are the same user and have the data access right. The encryption key and the decryption key of the server 200 may be symmetric keys or asymmetric encryption and decryption keys, which is not limited in this application.
In some embodiments of the application, a method of data access includes: if the first user information and the second user information are confirmed to be inconsistent, the verification result of the user identity is failed; and sending the verification result to the client.
For example, in some embodiments of the present application, if the first user real ID and the second user real ID are not consistent, it may be determined that the user identity of the client 100 is not the same user as the previously authenticated user, and at this time, there may be a vulnerability of unauthorized access, so that the client 100 needs to be notified and data access is denied.
S430, processing the original service data to obtain target service data, and sending the target service data to the client.
For example, in some embodiments of the present application, the server 200 may perform replacement processing on the original service data to obtain target service data, so as to implement secure transmission and display of the target data. For example, important information in the original service data may be replaced with meaningless identifiers or virtual data, so as to obtain replaced target service data.
In some embodiments of the present application, S430 may include: acquiring a service identification number in the original service data; randomly generating and storing the service virtual identification number corresponding to the service identification number; and replacing the service identification number with the service virtual identification number to obtain the target service data.
For example, in some embodiments of the present application, the server 200 filters out the important service real IDs (as a specific example of the service identification number) in the original service data. Then a corresponding service uuid (as a specific example of the service virtual identification number) is randomly generated for each service real ID by a random algorithm, and the correspondence between each service real ID and its service uuid is stored locally at the server 200. Finally, each service real ID is replaced with the corresponding service uuid to obtain the target service data, which is sent to the client 100. The service uuids in the target service data received and displayed by the client 100 are not the service real IDs, so the data is displayed securely and unauthorized access to the data is prevented.
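The login steps S301 to S304 and the identity verification of S410 to S420 (including the inconsistent case that must be reported to the client), as an added Python example; this is not code from the patent or from its assignee. The description does not name a cipher, so an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC) stands in for the symmetric encryption of the session token; only the user real ID is placed in the token, since that is all the comparison in S420 needs; the server's local cache is a plain dict; and the user store, the names wang and li, and their passwords are constructed for the example. The replacement step S430 is not covered here.

```python
# Added example (not from the patent text): login S301-S304 and verification S410-S420.
# Assumptions: HMAC-based stream cipher + HMAC tag stands in for the unspecified
# symmetric cipher; token holds only the user real ID; dicts stand in for the cache.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent keystream and tag keys from the one server key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """S302: session token = nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, token: bytes):
    """Inverse of encrypt; returns None when the tag does not verify (forged or altered token)."""
    if len(token) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = token[:NONCE_LEN], token[NONCE_LEN:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    def __init__(self):
        self.key = secrets.token_bytes(32)   # encryption/decryption key (the symmetric case)
        self.credentials = {}                # user real ID -> (salt, password hash)
        self.uuid_to_real_id = {}            # user uuid -> user real ID (the S303 mapping)
        self.service_data = {}               # user real ID -> records (constructed data)

    def register(self, real_id: str, password: str, records=()):
        salt = secrets.token_bytes(16)
        self.credentials[real_id] = (salt, _password_hash(password, salt))
        self.service_data[real_id] = list(records)

    def login(self, real_id: str, password: str):
        """S301-S304: check the credentials, then issue the token and the user uuid."""
        cred = self.credentials.get(real_id)
        if cred is None or not hmac.compare_digest(cred[1], _password_hash(password, cred[0])):
            return None
        token = encrypt(self.key, real_id.encode())   # S302
        user_uuid = secrets.token_hex(16)             # S303: random, carries no trace of the real ID
        self.uuid_to_real_id[user_uuid] = real_id
        return token, user_uuid                       # S304

    def verify_identity(self, token: bytes, user_uuid: str) -> bool:
        """S420: first user information (token) must equal second user information (uuid lookup)."""
        first = decrypt(self.key, token)
        second = self.uuid_to_real_id.get(user_uuid)
        if first is None or second is None:
            return False
        return hmac.compare_digest(first, second.encode())

    def service_request(self, token: bytes, user_uuid: str, data_request: str):
        """S410-S420: original service data is handed out only after verification passes."""
        if not self.verify_identity(token, user_uuid):
            return {"result": "fail"}                 # inconsistent case: tell the client, deny access
        real_id = self.uuid_to_real_id[user_uuid]
        return {"result": "pass", "request": data_request, "data": self.service_data[real_id]}
```

The two failure checks worth exercising are a token of one user presented with the uuid of another (the mismatch the description treats as a possible unauthorized access) and a token whose bytes were altered, which the tag rejects before any comparison happens.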
The interactive process of data access performed by client 100, server 200, and security gateway 300 provided by some embodiments of the present application is illustratively set forth below in conjunction with the data access system of FIG. 2 and FIG. 5.
Referring to fig. 5, fig. 5 is a flowchart of a method for accessing data according to some embodiments of the present application.
The following exemplifies a scenario of accessing student data information, and exemplifies a process of data access provided by some embodiments of the present application.
It should be noted that, before the following method embodiments are performed, the security gateway 300 and the server 200 have completed authentication of the user identity, and have sent the user uuid and token to the client 100.
S510, the client 100 sends a service request to the security gateway 300, wherein the service request carries the session token, the user virtual identification number and the service data request.
For example, as a specific example of the present application, the client 100 sends a list service request (as a specific example of the service request) to the API gateway, where the list service request carries a token, a user uuid, and a list data request (as a specific example of the service data request). The API gateway receives a list service request.
S520, the security gateway 300 verifies the session token and the user virtual identification number, and sends the service data request to the server 200 after the verification is passed.
For example, as a specific example of the present application, the API gateway decrypts the token to obtain the user real ID and looks up the userID corresponding to the user uuid. The authentication of the client 100 is regarded as passed when the user real ID and the userID are the same, and the API gateway then forwards the list data request to the server 200. For example, the user real ID is wang, the user uuid is a111, and the userID corresponding to a111 is wang.
S530, the server 200 obtains the original service data corresponding to the service data request.
For example, as a specific example of the present application, the server 200 queries the database for the student list data (as a specific example of the original service data) corresponding to the list data request. For example, the student list data is shown in Table 1:
TABLE 1
Student ID   Name        Age
1001         Zhang San   12
1002         Li Si       14
S540, the server 200 sends the original service data to the security gateway 300.
For example, as a specific example of the present application, the API gateway receives student list data sent by the server 200.
S550, the security gateway 300 acquires the service identification number in the original service data, and randomly generates and stores the service virtual identification number.
For example, as a specific example of the present application, the API gateway screens out the student IDs (as a specific example of the service identification numbers) from the student list data, namely 1001 and 1002. The API gateway randomly generates a student temporary ID a01 (as a specific example of the service virtual identification number) corresponding to the student ID 1001, and a student temporary ID a02 (likewise a specific example of the service virtual identification number) corresponding to the student ID 1002.
S560, the security gateway 300 replaces the service identification number with the service virtual identification number to obtain the target service data.
For example, as a specific example of the present application, the target student list (as a specific example of the target service data) obtained by replacing the student IDs in the student list data is shown in table 2:
TABLE 2
Student ID    Name         Age
a01           Zhang San    12
a02           Li Si        14
S570, the security gateway 300 sends the target service data to the client 100.
For example, as a specific example of the present application, the client 100 receives and displays the target student list sent by the API gateway.
In addition, in other embodiments of the present application, if the client 100 needs to obtain detailed information of a certain student (for example, home address information or score information), the client 100 may send a service request carrying the token, the user uuid, the student temporary ID, and a student detailed data request to the API gateway 300; the subsequent processing is similar in principle to S520 to S570 and is not repeated here.
As can be seen from the above description of some embodiments of the present application, the real ID in the response data (as a specific example of the original service data) of every authentication or service request is replaced by a random temporary uuid, and the ID values obtained by the client 100 for the same service data request are different each time, so that the real ID is hidden or replaced and sensitive data is protected. The service request is sent together with the user uuid and carries the token, and the token is verified, which realizes token authorization verification. The user information is obtained from the token, the corresponding userId and ID information are obtained through the temporary user uuid, and whether the user information in the token is consistent with the userId is checked, which verifies whether the current operation comes from the same user. Through these three measures, horizontal privilege escalation vulnerabilities (one user reaching another user's data at the same privilege level by substituting an identifier) can be effectively avoided. If the real ID does not need to be replaced and hidden, data access without replacement and hiding can be selected, which allows flexible adjustment and a pluggable effect.
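The flow of S510 to S570, the detail lookup by temporary ID, and the checks performed by the confirmation, sending and authentication modules below can be modelled in one small gateway class. The following Python is an added example written for this page, not the patent's or the applicant's code. It assumes an in-memory "server" holding the student data of table 1 (constructed sample values, with an added address field as the sensitive detail), constructed login credentials, and a gateway key. Two substitutions are labelled as assumptions: the session token is an HMAC-authenticated payload rather than the symmetric encryption the description uses, so the example runs with the standard library alone; and the temporary-ID mapping is stored per user uuid, which goes beyond the page and ensures that a temporary ID handed to one session cannot be resolved from another.

```python
"""Gateway-side model of the data access flow (S510 to S570 and the detail lookup)."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample data (not from the patent): the server's original service data
# (table 1 plus a sensitive detail field) and the login credentials the gateway checks.
STUDENT_DB = {
    1001: {"name": "Zhang San", "age": 12, "address": "constructed address A"},
    1002: {"name": "Li Si", "age": 14, "address": "constructed address B"},
}
CREDENTIALS = {"wang": "constructed-pw-1", "zhao": "constructed-pw-2"}


class SecurityGateway:
    """Plays security gateway 300: issues the session token and user uuid at login,
    verifies both on every service request, and rewrites IDs in the response."""

    def __init__(self, key: bytes):
        self.key = key                # key used to seal / open the session token
        self.user_uuid_to_id = {}     # user virtual identification number -> user real ID
        self.temp_ids = {}            # (user uuid, service virtual ID) -> service ID

    def _seal(self, payload: dict) -> str:
        # Stand-in for the description's encryption step (assumption): an HMAC-tagged
        # token whose payload cannot be altered without the gateway's key.
        body = base64.urlsafe_b64encode(json.dumps(payload).encode())
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        return (body + b"." + tag).decode()

    def _open(self, token: str):
        # Counterpart of the decryption step: returns the first user information,
        # or None when the tag does not match (tampered or foreign token).
        body, _, tag = token.encode().partition(b".")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(base64.urlsafe_b64decode(body))

    # Authentication module (claims 5 and 10): login -> (session token, user uuid).
    def login(self, login_name: str, password: str):
        if CREDENTIALS.get(login_name) != password:
            return None
        token = self._seal({"userId": login_name})
        user_uuid = secrets.token_hex(8)            # randomly generated user virtual ID
        self.user_uuid_to_id[user_uuid] = login_name
        return token, user_uuid

    # S520: the first user information (from the token) must equal the second
    # (looked up from the user uuid); otherwise the request is rejected.
    def verify(self, token: str, user_uuid: str) -> bool:
        first = self._open(token)
        second = self.user_uuid_to_id.get(user_uuid)
        return first is not None and second is not None and first["userId"] == second

    # S530 to S570: fetch the original service data, replace every student ID with a
    # fresh random temporary ID, remember the mapping for this session, return result.
    def list_students(self, token: str, user_uuid: str) -> dict:
        if not self.verify(token, user_uuid):
            return {"result": "verification failed"}
        rows = []
        for student_id, rec in STUDENT_DB.items():  # what server 200 returns (S540)
            temp_id = "a" + secrets.token_hex(4)
            self.temp_ids[(user_uuid, temp_id)] = student_id
            rows.append({"student_id": temp_id, "name": rec["name"], "age": rec["age"]})
        return {"result": "ok", "students": rows}

    # Detail request: the client only ever holds temporary IDs, so the gateway
    # resolves them, and only within the session that received them (assumption).
    def student_detail(self, token: str, user_uuid: str, temp_id: str) -> dict:
        if not self.verify(token, user_uuid):
            return {"result": "verification failed"}
        student_id = self.temp_ids.get((user_uuid, temp_id))
        if student_id is None:
            return {"result": "unknown id"}
        return {"result": "ok", "student_id": temp_id,
                "address": STUDENT_DB[student_id]["address"]}


if __name__ == "__main__":
    gw = SecurityGateway(b"constructed-gateway-key")
    token, uuid = gw.login("wang", "constructed-pw-1")
    listing = gw.list_students(token, uuid)
    print(listing)                                    # temporary IDs, never 1001/1002
    print(gw.student_detail(token, uuid, listing["students"][0]["student_id"]))
```

The point to check when reviewing such a gateway is the failure path: a valid token presented with another user's uuid, a uuid that was never issued, or a token whose payload was edited must all be rejected by verify(), and a temporary ID obtained in one session must not resolve in another. Each of those cases corresponds to one of the three measures listed above.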
Referring to fig. 6, fig. 6 illustrates a block diagram of an apparatus for data access provided by some embodiments of the present application. It should be understood that the data access apparatus corresponds to the above method embodiments, and can perform the steps related to the above method embodiments, and the specific functions of the data access apparatus can be referred to the above description, and the detailed description is appropriately omitted here to avoid redundancy.
The data access apparatus of fig. 6 includes at least one software function module that can be stored in a memory in the form of software or firmware or solidified in the data access apparatus, the data access apparatus including: a receiving module 610, configured to receive a service request sent by a client, where the service request carries a session token, a user virtual identification number and a service data request, where the user virtual identification number is randomly generated based on a user real identification number; a confirmation module 620, configured to obtain, when confirming that the verification result of the user identity of the client passes through the session token and the user virtual identification number, original service data corresponding to the service data request; a sending module 630, configured to process the original service data to obtain target service data, and send the target service data to the client.
In some embodiments of the present application, the confirmation module 620 is configured to: decrypting the session token by using the decryption key, and acquiring first user information in the session token after decryption is successful; searching second user information corresponding to the user virtual identification number; and if the first user information is confirmed to be consistent with the second user information, the verification result of the user identity is passed.
In some embodiments of the present application, the confirmation module 620 is configured to: if the first user information and the second user information are confirmed to be inconsistent, the verification result of the user identity is failed; and sending the verification result to the client.
In some embodiments of the present application, the sending module 630 is configured to: acquiring a service identification number in the original service data; randomly generating and storing the service virtual identification number corresponding to the service identification number; and replacing the service identification number with the service virtual identification number to obtain the target service data.
In some embodiments of the present application, before the receiving module 610, the means for data access further comprises: an authentication module (not shown in the figures) configured to: receiving a login authentication operation sent by the client, wherein the login authentication operation carries user identity information, and the user identity information comprises a login name and a password; when the verification result of the user identity information is confirmed to be passed, encrypting the user identity information by using an encryption key to obtain the session token; randomly generating and storing a user virtual identification number corresponding to the user real identification number; and sending the session token and the user virtual identification number to the client.
Some embodiments of the present application further provide a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the method of any of the above-mentioned embodiments.
Some embodiments of the present application further provide a computer program product, which includes a computer program, wherein the computer program, when executed by a processor, implements the method of any of the above-mentioned embodiments.
As shown in fig. 7, some embodiments of the present application provide an electronic device 700, the electronic device 700 comprising: a memory 710, a processor 720 and a computer program stored on the memory 710 and executable on the processor 720, wherein the method of any of the embodiments described above can be implemented when the processor 720 reads the program from the memory 710 via the bus 730 and executes the program.
Processor 720 may process digital signals and may include various computing structures, such as a complex instruction set computer architecture, a reduced instruction set computer architecture, or an architecture that implements a combination of multiple instruction sets. In some examples, processor 720 may be a microprocessor.
Memory 710 may be used to store instructions that are executed by processor 720 or data related to the execution of the instructions. The instructions and/or data may include code for performing some or all of the functions of one or more of the modules described in embodiments of the application. The processor 720 of the disclosed embodiments may be configured to execute instructions in the memory 710 to implement the methods illustrated above. Memory 710 may include dynamic random access memory, static random access memory, flash memory, optical memory, or other memory known to those skilled in the art.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrases "comprising a," "...," or "comprising" does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.

Claims (12)

1. A method of data access, comprising:
receiving a service request sent by a client, wherein the service request carries a session token, a user virtual identification number and a service data request, and the user virtual identification number is randomly generated based on a user real identification number;
acquiring original service data corresponding to the service data request under the condition that the verification result of the user identity of the client is confirmed to be passed through the session token and the user virtual identification number;
and processing the original service data to obtain target service data, and sending the target service data to the client.
2. The method of claim 1, wherein confirming, through the session token and the user virtual identification number, that the verification result of the user identity of the client is passed comprises:
decrypting the session token by using the decryption key, and acquiring first user information in the session token after decryption is successful;
searching second user information corresponding to the user virtual identification number;
and if the first user information is confirmed to be consistent with the second user information, the verification result of the user identity is passed.
3. The method of claim 2, wherein the method further comprises:
if the first user information and the second user information are confirmed to be inconsistent, the verification result of the user identity is failed;
and sending the verification result to the client.
4. The method according to claim 1 or 2, wherein the processing the original service data to obtain the target service data comprises:
acquiring a service identification number in the original service data;
randomly generating and storing the service virtual identification number corresponding to the service identification number;
and replacing the service identification number with the service virtual identification number to obtain the target service data.
5. The method of claim 1 or 2, wherein prior to receiving the service request sent by the client, the method further comprises:
receiving login authentication operation sent by the client, wherein the login authentication operation carries user identity information, and the user identity information comprises a login name and a password;
when the verification result of the user identity information is confirmed to be passed, encrypting the user identity information by using an encryption key to obtain the session token;
randomly generating and storing a user virtual identification number corresponding to the user real identification number;
and sending the session token and the user virtual identification number to the client.
6. An apparatus for data access, comprising:
a receiving module configured to receive a service request sent by a client, wherein the service request carries a session token, a user virtual identification number and a service data request, and the user virtual identification number is randomly generated based on a user real identification number;
a confirmation module configured to acquire original service data corresponding to the service data request when confirming that the verification result of the user identity of the client passes through the session token and the user virtual identification number;
and the sending module is configured to process the original service data to obtain target service data and send the target service data to the client.
7. The apparatus of claim 6, wherein the confirmation module is configured to:
decrypting the session token by using the decryption key, and acquiring first user information in the session token after decryption is successful;
searching second user information corresponding to the user virtual identification number;
and if the first user information is confirmed to be consistent with the second user information, the verification result of the user identity is passed.
8. The apparatus of claim 7, wherein the confirmation module is configured to:
if the first user information and the second user information are confirmed to be inconsistent, the verification result of the user identity is failed;
and sending the verification result to the client.
9. The apparatus of claim 6 or 7, wherein the transmitting module is configured to:
acquiring a service identification number in the original service data;
randomly generating and storing the service virtual identification number corresponding to the service identification number;
and replacing the service identification number with the service virtual identification number to obtain the target service data.
10. The apparatus of claim 6 or 7, wherein the apparatus further comprises: an authentication module configured to:
receiving login authentication operation sent by the client, wherein the login authentication operation carries user identity information, and the user identity information comprises a login name and a password;
when the verification result of the user identity information is confirmed to be passed, encrypting the user identity information by using an encryption key to obtain the session token;
randomly generating and storing a user virtual identification number corresponding to the user real identification number;
and sending the session token and the user virtual identification number to the client.
11. A computer-readable storage medium, having stored thereon a computer program, wherein the computer program, when executed by a processor, performs the method of any one of claims 1-5.
12. An electronic device comprising a memory, a processor, and a computer program stored on the memory and running on the processor, wherein the computer program, when executed by the processor, performs the method of any one of claims 1-5.
CN202211678550.XA 2022-12-26 2022-12-26 Data access method and device, storage medium and electronic equipment Pending CN115987650A (en)
Publications (1)

Publication Number Publication Date
CN115987650A true CN115987650A (en) 2023-04-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination